2 issues with ldap authentication: wrong ldapsearch and \ escape character doesn't work

Hello,
(I hope everyone’s well)

Anyway I have 2 big issues with LDAP authentication (I use LDAP authenticator 9.4.4)…

First, my ldapsearch found a user id with this filter

xwiki.authentication.ldap.user_group=(&(objectClass=mineqPerson)(!(mineqZone=EXTERNE)))

but when I use the same filter in xwiki.cfg this user is denied access…
I compared 2 LDAP user entries (one allowed to connect to xwiki) and found that the user attributes are sorted differently,
i.e. pascal.bxxx is allowed to log in on xwiki but xwiki.lecteur is not

ldapsearch -h myldap.fr -x -b ou=xxx,dc=fr '(&(objectClass=mineqPerson)(!(mineqZone=EXTERNE)))'

displayed these users

# xwiki.lecteur xxxxxxxxx
dn: uid=xwiki.lecteurxxxxxxxxxxxxxxxxxx
mineqAccesInternet: INITIAL
givenName: Xwiki
mineqZone: EQUIP
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: mineqPerson
objectClass: calEntry
objectClass: sambaSamAccount
objectClass: posixAccount

xwiki logs displayed:
com.xpn.xwiki.XWikiException: Error number 8001 in 8: LDAP user xwiki.lecteur does not belong to LDAP group (&(objectClass=mineqPerson)(!(mineqZone=EXTERNE))).


# pascal.bxxx xxxxxxxxxxxxxxxxx
dn: uid=pascal.bxxxxxxxxxxxxxxxxxxxx
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: mineqMelBoite
objectClass: calEntry
objectClass: mineqPerson
objectClass: sambaSamAccount
objectClass: posixAccount
mineqTypeEntree: BALI
mineqMelRemise: LMTP
mineqMelServeurPrincipal: xxxx
calFBURL: https://axxxxx
mineqZone: EQUIP

xwiki logs displayed:
- Checking if the user belongs to the user group: (&(objectClass=mineqPerson)(!(mineqZone=EXTERNE))) 
2020-04-03 14:16:43,895 [https://myxwiki.fr/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPUtils         
- Found cache entry for group [(&(objectClass=mineqPerson)(!(mineqZone=EXTERNE)))] 
2020-04-03 14:16:43,895 [https://myxwiki.fr/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPUtils   
- Checking if the user belongs to the user group: (&(objectClass=mineqPerson)(!(mineqZone=EXTERNE)))       
- Found group [(&(objectClass=mineqPerson)(!(mineqZone=EXTERNE)))]
- Found user dn in user group [uid=pascal.bxxx,

Second issue, \ character didn’t work when I map xwiki and ldap groups with this filter:

The LDAP log showed that the \ escape character didn’t work!

my xwiki.cfg:

xwiki.authentication.ldap.group_mapping=XWiki.GF_SNUM=(&(objectClass=mineqPerson)(\|(departmentNumber=SG/SPSSI/CPII*)(departmentNumber=SG/SNUM*)(departmentNumber=SG/SPSSI/SIAS*)))

I escaped the | (or) LDAP instruction with \

and ldap logs displayed:

- [(&(objectClass=mineqPerson)(] is not a valid LDAP filter, lets try id 

and

- [SG/SPSSI/CPII*)(departmentNumber=SG/SNUM*)(departmentNumber=SG/SPSSI/SIAS*)))] is not a valid LDAP filter, lets try id 
com.novell.ldap.LDAPLocalException: Filter Error

ldapsearch works well with the same LDAP query (without the \ of course).

Thanks for any help

Pascal B
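Both problems in this post can be checked offline before touching xwiki.cfg. The block below is an added example written for this thread, not code from XWiki or from the LDAP authenticator: a minimal evaluator for the RFC 4515 filter syntax used here (`&`, `|`, `!`, equality, presence and the `*` substring wildcard), run against entries constructed from the two LDIF excerpts above (the `departmentNumber` value is a placeholder), plus a parenthesis-aware splitter for a `group=filter|group=filter` mapping string. `split_mapping` is a hypothetical splitter for illustration; it does not claim to describe how the authenticator itself parses `xwiki.authentication.ldap.group_mapping`. What it does show is that the user_group filter matches both users regardless of attribute order, so the filter itself is not what separates them, and that splitting the mapping line on every `|` produces exactly the two "is not a valid LDAP filter" fragments quoted from the log.

```python
"""Added example (not XWiki code): minimal RFC 4515 filter evaluator plus a
parenthesis-aware splitter for a 'XWikiGroup=filter|XWikiGroup=filter' string.
Entries are constructed from the LDIF excerpts in the post; departmentNumber
is a placeholder value."""
import re


def parse_filter(text):
    """Parse a filter into ('&'|'|'|'!', [kids]) or ('=', (attr, pattern)).
    Simplification: values may not contain ')' or RFC 4515 '\\xx' escapes."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != '(':
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        op = text[pos]
        if op in '&|!':
            pos += 1
            kids = []
            while text[pos] != ')':      # IndexError here means an unterminated filter
                kids.append(node())
            pos += 1
            if op == '!' and len(kids) != 1:
                raise ValueError("'!' takes exactly one filter")
            return (op, kids)
        end = text.index(')', pos)       # ValueError if the item is never closed
        attr, sep, pattern = text[pos:end].partition('=')
        if not sep or not attr:
            raise ValueError(f"bad item {text[pos:end]!r}")
        pos = end + 1
        return ('=', (attr, pattern))

    tree = node()
    if pos != len(text):
        raise ValueError(f"trailing data {text[pos:]!r}")
    return tree


def is_valid_filter(text):
    """True if the whole string parses as one complete filter."""
    try:
        parse_filter(text)
        return True
    except (ValueError, IndexError):
        return False


def matches(tree, entry):
    """Evaluate a parsed filter against an entry {attr.lower(): [values]}.
    Attribute order is irrelevant, as in a real directory. '*' is the substring
    wildcard; values compare case-insensitively (caseIgnoreMatch)."""
    op, arg = tree
    if op == '&':
        return all(matches(k, entry) for k in arg)
    if op == '|':
        return any(matches(k, entry) for k in arg)
    if op == '!':
        return not matches(arg[0], entry)
    attr, pattern = arg
    values = entry.get(attr.lower(), [])
    if pattern == '*':                   # presence test
        return bool(values)
    regex = '.*'.join(re.escape(p) for p in pattern.split('*'))
    return any(re.fullmatch(regex, v, re.IGNORECASE) for v in values)


def entry(**attrs):
    """Build an entry; attribute names are folded to lower case."""
    return {k.lower(): v if isinstance(v, list) else [v] for k, v in attrs.items()}


# Constructed from the two LDIF excerpts (same attributes, same objectClass order);
# a third EXTERNE entry is added to exercise the '!' branch.
XWIKI_LECTEUR = entry(uid='xwiki.lecteur', mineqAccesInternet='INITIAL', givenName='Xwiki',
                      mineqZone='EQUIP', objectClass=['top', 'person', 'organizationalPerson',
                      'inetOrgPerson', 'mineqPerson', 'calEntry', 'sambaSamAccount', 'posixAccount'])
PASCAL_B = entry(uid='pascal.bxxx', objectClass=['top', 'person', 'organizationalPerson',
                 'inetOrgPerson', 'mineqMelBoite', 'calEntry', 'mineqPerson', 'sambaSamAccount',
                 'posixAccount'], mineqTypeEntree='BALI', mineqZone='EQUIP',
                 departmentNumber='SG/SNUM/placeholder')      # placeholder value
EXTERNAL = entry(uid='ext.user', objectClass=['top', 'person', 'mineqPerson'], mineqZone='EXTERNE')

USER_GROUP = '(&(objectClass=mineqPerson)(!(mineqZone=EXTERNE)))'
GF_SNUM = ('(&(objectClass=mineqPerson)(|(departmentNumber=SG/SPSSI/CPII*)'
           '(departmentNumber=SG/SNUM*)(departmentNumber=SG/SPSSI/SIAS*)))')


def split_mapping(raw):
    """Hypothetical splitter: break on '|' only outside parentheses so an OR
    inside a filter survives. Not a description of the XWiki authenticator."""
    result, depth, start = {}, 0, 0
    for i, ch in enumerate(raw + '|'):
        depth += {'(': 1, ')': -1}.get(ch, 0)
        if ch == '|' and depth == 0:
            group, _, ldap_filter = raw[start:i].partition('=')
            result[group] = ldap_filter
            start = i + 1
    return result


def split_mapping_naive(raw):
    """Split on every '|' and then on the first '=': on a filter containing an OR
    this yields the fragments quoted as 'is not a valid LDAP filter' in the post."""
    return dict(part.partition('=')[::2] for part in raw.split('|'))


if __name__ == '__main__':
    tree = parse_filter(USER_GROUP)
    for e in (XWIKI_LECTEUR, PASCAL_B, EXTERNAL):
        print(e['uid'][0], 'matches user_group:', matches(tree, e))
    raw = 'XWiki.GF_SNUM=' + GF_SNUM
    for name, fn in (('naive', split_mapping_naive), ('depth-aware', split_mapping)):
        for group, flt in fn(raw).items():
            print(f'{name}: {group!r} -> {flt!r} valid={is_valid_filter(flt)}')
```

Running it prints that both `xwiki.lecteur` and `pascal.bxxx` satisfy the user_group filter while the EXTERNE entry does not, and that the naive split turns the one mapping into two fragments that both fail `is_valid_filter`, whereas the depth-aware split keeps the filter whole. The same `is_valid_filter` check can be applied to any filter before it goes into xwiki.cfg.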

Hey, it’s been 8 months since you last posted! How are you? How’s your xwiki usage going? :slight_smile:

Hope you’re safe during this covid crisis!

Take care

I’m fine, ty.
Hope the whole xwiki task force is well too against covid.
Actually I’m working less on xwiki because I’m working on gitlab/openstacks & Co (a lot to do and learn).
Of course we use XWiki; as you see, I’m trying to open it up to more users (because of the covid crisis and home workers :slight_smile: )

Nice. FWIW: https://extensions.xwiki.org/xwiki/bin/view/Extension/gitlab%20Application/

cool :slight_smile:

Why am I not surprised? :smiley: Of course there is an xwiki extension!
ty

I think the first issue is because

xwiki.authentication.ldap.user_group=(&(objectClass=mineqPerson)(!(mineqZone=EXTERNE)))

returns too many users in the cache… and the last ones could not log in on xwiki…
With a lower level for the xwiki.authentication.ldap.base_DN= parameter it’s working.
Unfortunately I need to use the xwiki.authentication.ldap.user_group filter on all my LDAP directory :confused:

I worked around this issue with the xwiki.authentication.ldap.exclude_group setting instead